The following payload can be used to execute malicious JavaScript in the reporting web page:
<http://<img style="display:none" src=0 onerror="alert('XSS')">>
It will be rendered as follows:
http://<img style="display:none" src=0 onerror="alert('XSS')">
This will execute an XSS alert when the user opens the report page here; the variations can be document.cookie to steal user cookies in one scenario.